Taiwan Coffee Net website injected with a malicious link
October 13, 2008, 13:08:34
The Taiwan Coffee Net website has been injected with a malicious link. The malware it delivers is Trojan-Downloader.Win32.ACVE.am. Anyone who has browsed this site recently should check their computer for infection as soon as possible.
The Taiwan Coffee Net URL is hxxp://coffee.24h.com.tw.
The malicious link/code is placed at the following location on the above site (other pages should also be checked carefully):
Below are the results of web-reputation lookups:
Google Search lookup result (anomaly found), as shown in the figure below:
Armorize HackAlert (malicious-behaviour detection) lookup result (anomaly found), as shown in the figure below:
McAfee SiteAdvisor lookup result (no anomaly found), as shown in the figure below:
Trend Micro web-reputation lookup result (anomaly found), as shown in the figure below:
Finjan web-reputation lookup result (no anomaly found), as shown in the figure below:
Dr.Web web-reputation lookup result (no anomaly found), as shown in the figure below:
Exploit Prevention Labs web-reputation lookup result (no anomaly found), as shown in the figure below:
Symantec Safe Web lookup result (no anomaly found), as shown in the figure below:
When executed, the sample shows the following behaviour:
[Added process]
C:\WINDOWS\system32\woauolt.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svDE.tmp
C:\WINDOWS\system32\System.exe
[DLL injection]
C:\WINDOWS\system32\HBDNF.dll
C:\WINDOWS\system32\HBmhly.dll
C:\WINDOWS\system32\HBSO2.dll
C:\WINDOWS\system32\HBSOUL.dll
C:\WINDOWS\system32\HBWOW.dll
[Added service]
NAME: HBKernel32
DISPLAY: HBKernel32 Driver
FILE: \SystemRoot\system32\drivers\HBKernel32.sys
[Added file]
C:\005C0494\6036485
C:\005C0494\6048171
C:\Documents and Settings\Administrator\Local Settings\Temp\GameeeEeee.pif
C:\Documents and Settings\Administrator\Local Settings\Temp\Gameeeeeee.vbs
C:\Documents and Settings\Administrator\Local Settings\Temp\svDE.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\b2[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\fxx[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\fx[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\ko[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\Ms06014[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\Real[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\ss[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\C13NVBMZ\uin1[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\1936348[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\b2[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OXI7BCE5\ilink[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q08VKCK4\ave3[1].htm
C:\WINDOWS\system32\drivers\HBKernel32.sys
C:\WINDOWS\system32\HBDNF.dll
C:\WINDOWS\system32\HBmhly.dll
C:\WINDOWS\system32\HBSO2.dll
C:\WINDOWS\system32\HBSOUL.dll
C:\WINDOWS\system32\HBWOW.dll
C:\WINDOWS\system32\System.exe
C:\WINDOWS\system32\woauolt.exe
[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=361kary
Data=C:\WINDOWS\system32\woauolt.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=HBService32
Data=System.exe
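The behaviour report above is only useful to a responder once it is turned into something that can be checked against a machine: file paths, a service name, and two Run-key persistence entries. The script below is an added example written for this page; it is not code from the original post or from any vendor named here. It parses the report format shown above (an abridged copy of the report is embedded) into indicators and matches them against a host snapshot. The parsing rules it assumes are those visible in the report: section names in square brackets, a service block that ends with its FILE: line, and registry entries written either as a full key path or as a bare hive followed by a SubKey= line. The host snapshot SAMPLE_HOST is constructed for illustration and is not real data.

```python
import re

# Abridged copy of the behaviour report from the post; the full list is above.
REPORT = r"""
[Added process]
C:\WINDOWS\system32\woauolt.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svDE.tmp
C:\WINDOWS\system32\System.exe
[DLL injection]
C:\WINDOWS\system32\HBDNF.dll
C:\WINDOWS\system32\HBWOW.dll
[Added service]
NAME: HBKernel32
DISPLAY: HBKernel32 Driver
FILE: \SystemRoot\system32\drivers\HBKernel32.sys
[Added file]
C:\WINDOWS\system32\drivers\HBKernel32.sys
C:\WINDOWS\system32\System.exe
C:\WINDOWS\system32\woauolt.exe
[Added registry]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=361kary
Data=C:\WINDOWS\system32\woauolt.exe
HKLM
SubKey=SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value=HBService32
Data=System.exe
"""

SECTION = re.compile(r"^\[(.+)\]$")
KIND_OF = {"Added process": "process", "DLL injection": "dll",
           "Added service": "service", "Added file": "file",
           "Added registry": "registry"}


def parse_report(text):
    """Parse the sandbox-style report into {kind: [indicator, ...]}.

    Services become (name, image path); registry entries become
    (hive\\subkey, value name, data), so both spellings used in the report
    (full key on one line, or bare HKLM plus a SubKey= line) normalise to
    the same shape. Plain path sections are kept as path strings.
    """
    iocs = {k: [] for k in KIND_OF.values()}
    section, svc, reg_key, reg_value = None, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section = KIND_OF.get(m.group(1))
            continue
        if section == "service":
            field, _, val = line.partition(":")
            svc[field.strip().lower()] = val.strip()
            if field.strip().lower() == "file":   # FILE: closes a service block
                iocs["service"].append((svc.get("name"), svc.get("file")))
                svc = {}
        elif section == "registry":
            field, sep, val = line.partition("=")
            if not sep:
                reg_key = line                    # "HKLM\..." or bare "HKLM"
            elif field == "SubKey":
                reg_key = reg_key + "\\" + val
            elif field == "Value":
                reg_value = val
            elif field == "Data":
                iocs["registry"].append((reg_key, reg_value, val))
        elif section:
            iocs[section].append(line)
    return iocs


def match_host(iocs, host):
    """Return sorted (kind, indicator) hits for a host snapshot.

    host = {"files": [...full paths...], "services": [...names...],
            "run_values": [(key, value_name, data), ...]}.
    Comparison is case-insensitive, as Windows paths and registry names are.
    Paths under a sandbox user profile (DOCUME~1\\ADMINI~1) will not match
    another user's profile; a real sweep should expand them per profile.
    """
    norm = str.casefold
    files = {norm(p) for p in host.get("files", ())}
    services = {norm(s) for s in host.get("services", ())}
    run = {(norm(k), norm(v), norm(d)) for k, v, d in host.get("run_values", ())}
    hits = set()
    for path in iocs["file"] + iocs["process"] + iocs["dll"]:
        if norm(path) in files:
            hits.add(("file", path))
    for name, _image in iocs["service"]:
        if name and norm(name) in services:
            hits.add(("service", name))
    for key, value, data in iocs["registry"]:
        if (norm(key), norm(value), norm(data)) in run:
            hits.add(("registry", key + "\\" + value))
    return sorted(hits)


# Constructed host snapshot (not real data): an infected machine with the
# driver, the dropper in a different letter case, and one Run-key entry.
SAMPLE_HOST = {
    "files": [r"c:\windows\system32\WOAUOLT.EXE",
              r"C:\WINDOWS\system32\drivers\HBKernel32.sys",
              r"C:\WINDOWS\system32\notepad.exe"],
    "services": ["HBKernel32", "Spooler"],
    "run_values": [(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                    "HBService32", "System.exe"),
                   (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                    "ctfmon", "ctfmon.exe")],
}


def demo():
    return match_host(parse_report(REPORT), SAMPLE_HOST)


if __name__ == "__main__":
    for kind, indicator in demo():
        print(kind, indicator)
```

On a live Windows host the snapshot would come from `os.path.exists` over the candidate paths, the service list, and the two Run keys; the matcher is kept separate from collection so the same indicators can be checked against exported data from several machines.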
Below are the VirusTotal scan results for the sample, submitted under the file name a1.css (for reference only):
File a1.css received on 10.12.2008 15:18:22 (CET)
AhnLab-V3: (no detection)
AntiVir: TR/Spy.Gen
Authentium: W32/OnlineGames.AJ.gen!Eldorado
Avast: (no detection)
AVG: Downloader.Generic7.AYKZ
BitDefender: (no detection)
CAT-QuickHeal: (Suspicious) – DNAScan
ClamAV: Trojan.Killav-222
DrWeb: DLOADER.Trojan
eSafe: Suspicious File
eTrust-Vet: (no detection)
Ewido: (no detection)
F-Prot: W32/OnlineGames.AJ.gen!Eldorado
F-Secure: W32/Packed/FSG_2.A
Fortinet: PossibleThreat
GData: (no detection)
Ikarus: Trojan-Downloader.Win32.ACVE.am
K7AntiVirus: (no detection)
Kaspersky: Trojan-Downloader.Win32.ACVE.am
McAfee: New Malware.ab
Microsoft: TrojanDownloader:Win32/Dogrobot.A
NOD32: probably a variant of Win32/TrojanDownloader.Agent.OHA
Norman: W32/Packed_FSG.D
Panda: Suspicious file
PCTools: Packed/FSG
Prevx1: Suspicious
Rising: Trojan.DL.Win32.Mnless.bhg
SecureWeb-Gateway: Trojan.Spy.Gen
Sophos: Mal/Packer
Sunbelt: VIPRE.Suspicious
Symantec: Trojan.KillAV
TheHacker: (no detection)
TrendMicro: Cryp_Bits
VBA32: (no detection)
ViRobot: (no detection)
VirusBuster: Packed/FSG
Additional information
MD5: 76ee6dc4b227d2c99766c7f7be545bdb
SHA1: c22ec8f4e36f8ef699b0eae46e8676aaf0962c3d
SHA256: e3c4a6a04c0ab2bfc87bb93970737f471e7359d675db89c8c39f8cc9d1a9e588
SHA512: 3ac03898028e026d02447476a65979b3e79e29c84c66f6b034bbd3d346943eecc07a1bab293f9f50b67e6d0b9c3f83151864fd78552e691ea380c5d19133fc24
“Taiwan Coffee Net website injected with a malicious link” currently has 2 comments
Hi Roger,
A few days ago I went to the official FlashGet website to download software and actually got infected; it must have been caused by a malicious link as well. Oh well... I just had to reinstall. What I want to ask is: is there any way to defend against this kind of malicious link?
By Harvey on October 15, 2008 - 12:04:02
Which software was it, and what was the download URL?
What you are asking about is a detection-rate problem: if your protection software cannot detect it, you may well get hit. A better approach is to disable ActiveX, JavaScript and similar features, or to use a different (non-IE) browser.
By Roger on October 15, 2008 - 21:14:17